Kmart’s fine example of security breach management
Adam Robinson is a Security Engineer with Loop Technology who specialises in the deployment and management of Intel Security based solutions. He is also Loop’s Entrust SSL Certificate expert and he has a keen interest in analysing and unpacking malware. If you have a question for Adam, please email email@example.com.
Another day, another breach.
Today the breached organisation is Kmart, an Australian general merchandiser selling a wide variety of items across a broad range of categories. Yesterday they discovered that their online ordering system had been breached by unknown attackers. The exposed data included customers' names, email addresses, delivery and billing addresses, telephone numbers and product purchase details, but no credit card numbers or other payment details.
Kmart inadvertently did something else yesterday: they set the bar for other Australian companies in declaring that a breach had occurred.
We've seen it time and time again with countless other breaches in recent years, including government leaks. For many organisations, the reaction has been to deny or delay. Think Ashley Madison: deny it to the end.
Ashley Madison: No amount of Shhhh will hide your data breach.
'If we ignore it, it will go away'
'Perhaps the situation will go away in a news cycle or two'
'Nobody reads about this stuff'
'Something bigger will come up and everyone will forget'
'By giving credence to it, it just becomes a bigger story.'
When it comes to the IT world, things go wrong - Compromises happen. Malware happens. Ransomware happens. Stuff breaks.
The best security team in the world, armed with the very best technology, still cannot account for a rogue employee, or software bugs which create breaches, or shadow IT related breaches. The security team needs to win constantly, but the hacker only needs to win once.
While the deck is certainly stacked against us, there is still an enduring expectation of consumer privacy and security. To help meet this expectation, we often compartmentalise data across separate systems, encrypt different parts of it under different keys so that a single compromised key does not expose everything, or store it in different parts of the world. And yet, things can still go wrong.
I'm not a public relations expert or a spin doctor, but looking at this situation, I believe Kmart has done a good job. Other Australian organisations would do well to learn from this approach:
1. Proactively monitor critical systems, and have people actually reviewing what that monitoring produces rather than dumping it into data silos that nobody reads.
2. When a breach is discovered, find out everything you can about what was accessed, inform everyone whose details may have been exposed and contact the authorities.
3. Communicate everything you learn to those impacted.
4. Learn from your mistake.
Arguably as important as security itself, IT organisations need a plan in place for how to handle a compromise. A well-considered plan in which clear, concise disclosures are made to the people and organisations affected is an important step. Action must then follow to determine the root cause and remediate the vulnerability. With detailed knowledge of the compromise, you can target (no pun intended) those who have been affected with specific information, so that they can take steps on their side to protect themselves.
In a world in which hackers can hijack even our most protected and private networks, in which compliance dictates tighter standards than ever, and in which data breaches are reported brutally in the news, the idea that an organisation can cover up a data breach is simply reckless.
My message to Kmart and Wesfarmers: Well done.
You can find Kmart's full release here.